- Issue created by @dcimorra
- Assigned to apaderno
- Status changed to Postponed
8 months ago 11:31am 21 June 2024 - 🇮🇹Italy apaderno Brescia, 🇮🇹
The project link is https://www.drupal.org/project/simple_cron/.
Edvinas Baranauskas logged in at least once in the past six months. I am going to contact him. - 🇮🇹Italy apaderno Brescia, 🇮🇹
This is the message I sent to Edvinas Baranauskas.
Hello Edvinas,
I am contacting you because Daniel (https://www.drupal.org/u/dcimorra) offered to become maintainer for Simple Cron (https://www.drupal.org/project/simple_cron/), a project you created for which you are project owner and sole maintainer.
May you post a comment on https://www.drupal.org/project/projectownership/issues/3453929 about accepting or declining the offer? Please do not reply via email; we need a reply on the offer issue. In the case you accept the offer, you can also add Daniel as maintainer.
Without a comment posted on that issue in the next 14 days, Daniel will probably be made maintainer. Neither project moderators nor site moderators will remove the existing maintainers/co-maintainers; the project owner will not be replaced either. Maintainers cannot change the project owner; co-maintainers/maintainers can only be removed/added by people who have the permission to administer co-maintainers/maintainers.
A last note: This offer is about being maintainer, which for us means somebody with all the drupal.org permissions on the project: Write to VCS, Edit project, Administer maintainers, Maintain issues, Administer releases. A person who does not have all those permissions is a co-maintainer.
Best regards,
Alberto Paderno
-- Drupal.org project moderator
-- Drupal.org site moderator
The status has been changed because we are waiting for a reply.
- Status changed to Needs work
8 months ago 6:30pm 21 June 2024 - 🇺🇸United States cmlara
@apaderno:
The module is security covered and the applicant does not appear to have the security opt-in role. Additionally, this issue was only open ~10 days.
It is my understanding per https://www.drupal.org/docs/develop/managing-a-drupalorg-theme-module-or... this should have been moved back to the project queue on both counts above.
📌 Automate the majority of the ownership transfer process (retain human approval) Active would have (if implemented as proposed) prevented this from reaching this point at multiple checkpoints.
- Status changed to Postponed
8 months ago 7:11pm 21 June 2024 - 🇮🇹Italy apaderno Brescia, 🇮🇹
Since I contacted the project owner, the issue can also stay here, as the project owner got the issue link.
As project moderator, I can contact the project maintainer before 14 days; sometimes I could contact the maintainers even in the case the person who offered to be co-maintainer/maintainer cannot opt projects into security advisory policy (which does not mean that person will be added as co-maintainer/maintainer).
What I forgot to do is post a comment explaining in which cases project moderators add co-maintainers/maintainers to dcimorra.
- 🇮🇹Italy apaderno Brescia, 🇮🇹
@dcimorra Project moderators will not add as co-maintainers/maintainers people who cannot opt projects into security advisory coverage.
I sometimes contact the project maintainers also in those cases, but that does not mean I am going to make an exception to what is reported in Offering to become a project owner, maintainer, or co-maintainer. I apologize I did not make that clear earlier.
- 🇪🇸Spain dcimorra 🇪🇸 Spain
Okay, I'll wait.
However, it does not seem reasonable to me that a module that is active in the community should be abandoned just because the person who proposes to maintain it is not included in the security advisory coverage.
The community gives life to Drupal.
- Issue was unassigned.
- Status changed to Active
7 months ago 1:11pm 16 July 2024 - 🇺🇸United States cmlara
However, it does not seem reasonable to me that a module that is active in the community should be abandoned just because the person who proposes to maintain it is not included in the security advisory coverage.
While D.O. tries to make a project takeover sound 'routine' from a security engineering standpoint this process is currently a combination of
A social engineering attack (convincing D.O. that the module is abandoned) and a supply chain attack (injecting your code into the repository to be used downstream). A request to become a maintainer is requesting a 3rd party (the D.A./D.O. admin team) who does not 'own' the software to take action that allows code that has not been vetted by the project 'owner' to be deployed to 3rd party sites.
While you may have honest good intentions and possess security skills, from a security engineering standpoint all attempts of 3rd parties to take over a project generally should be assumed to be not meeting those conditions. This is not to say I believe the process as it now is works, see 🌱 [META] Increase Security of Project Ownership Transfer Process Active which goes into a number of concerns I have with the current system, it is just to say that the process has to start somewhere and the permission is a 'bare minimal' standard that can be applied in a non-subjective manner.
Allowing takeovers of source code repositories is uncommon in the IT industry, with only a few major sites allowing such (see comments #4 and #5 in ✨ Prohibit the ability to adopt a project Active).
I will note that even if you do not obtain the security opt-in permission you can fork the existing module into a new namespace and publish on your own (keep all existing commits and attributions per GPL). You may encourage users to consider using your module instead of the abandoned module, especially if you provide the ability to import/use existing configuration. As you said "The community gives life to Drupal"; sometimes that means taking a leap and doing something.
As another alternative you can always approach anyone you may know on D.O. who is willing to adopt the module and they can add you as a maintainer once they receive project rights.
- 🇨🇭Switzerland stefanos.petrakis@gmail.com Biel, Switzerland
Offering to maintain as well. I have security coverage clearance and could work together with the members of the community that are actively interested in keeping Simple Cron up to date to process the open issues.
Cheers
-- Stefanos
- 🇬🇧United Kingdom scott_euser
I would also be happy to help maintain and have security coverage. Should we be creating separate issues for offers?
- 🇬🇧United Kingdom scott_euser
This will block upgrades to Drupal 11 soon now that we are in D11 beta. Not sure correct status, but hopefully Needs Review is the right one
- 🇺🇸United States cmlara
Should we be creating separate issues for offers
Generally each individual has needed to go through the process from start to finish on their own.
Especially important when one considers this thread: the applicant would not have been eligible to take over the module, and all communication may have been ignored because of that.
- 🇬🇧United Kingdom scott_euser
Okay sounds good thank you! Created a new issue here 💬 Offering to co-maintain Simple Cron Needs review